The attacker made use of an exploit that allowed entire liquidity pools to be withdrawn as “fees.”
The team behind the Raydium decentralized exchange (DEX) has announced details as to how the hack of Dec. 16 occurred and offered a proposal to compensate victims.
According to an official forum post from the team, the hacker was able to make off with over $2 million in crypto loot by exploiting a vulnerability in the DEX’s smart contracts that allowed entire liquidity pools to be withdrawn by admins, despite existing protections being to prevent such behavior.
The team will use its own unlocked tokens to compensate victims who lost Raydium tokens, also known as RAY. However, the developer does not have the stablecoin and other non-RAY tokens to compensate victims, so it is asking for a vote from RAY holders to use the decentralized autonomous organization (DAO) treasury to buy the missing tokens to repay those affected by the exploit.
1/ Update on remediation of funds for recent exploit
First, thanks for everyone’s patience up to now
An initial proposal on a way forward has been posted for discussion. Raydium encourages and appreciates all feedback on the proposal.https://t.co/NwV43gEuI9
— Raydium (@RaydiumProtocol) December 21, 2022
According to a separate post-mortem report, the attacker’s first step in the exploit was to gain control of an admin pool private key. The team does not know how this key was obtained, but it suspects that the virtual machine that held the key became infected with a trojan program.
Once the attacker had the key, they called a function to withdraw transaction fees that would normally go to the DAO’s treasury to be used for buybacks of RAY. On Raydium, transaction fees do not automatically go to the treasury at the moment of a swap. Instead, they remain in the liquidity provider’s pool until withdrawn by an admin. However, the smart contract keeps track of the amount of fees owed to the DAO through parameters. This should have prevented the attacker from being able to withdraw more than 0.03% of the total trading volume that had occurred in each pool since the last withdrawal.
Nevertheless, because of a flaw in the contract, the attacker was able to manually change the parameters, making it appear that the entire liquidity pool was transaction fees that had been collected. This allowed the attacker to withdraw all of the funds. Once the funds were withdrawn, the attacker was able to manually swap them for other tokens and transfer the proceeds to other wallets under the attacker’s control.
Related: Developer says projects are refusing to pay bounties to white hat hackers
In response to the exploit, the team has upgraded the app’s smart contracts to remove admin control over the parameters that were exploited by the attacker.
In the Dec. 21 forum post, the developers proposed a plan to compensate victims of the attack. The team will use its own unlocked RAY tokens to compensate RAY holders who lost their tokens due to the attack. It has asked for a forum discussion on how to implement a compensation plan using the DAO’s treasury to purchase non-RAY tokens that have been lost. The team is asking for a three-day discussion to take place to decide the issue.
The $2 million Raydium hack was first discovered on Dec. 16. Initial reports said that the attacker had used the withdraw_pnl function to remove liquidity from pools without depositing LP tokens. But since this function should have only allowed the attacker to remove transaction fees, the actual method by which they could drain entire pools was not known until after an investigation had been conducted.